# Monitor for Console Sign In Without Multi-factor Authentication (MFA) This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when a console sign in is made without multi-factor authentication. #### Create a Metric Filter 1. Open the CloudWatch console at . 2. In the navigation pane, choose **Logs**. 3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events. 4. Choose **Create Metric Filter**. 5. On the **Define Logs Metric Filter** screen, choose **Filter Pattern** and then type the following: ``` { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" } ``` Note For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of [Filter and Pattern Syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/FilterAndPatternSyntax.html) in the Amazon CloudWatch User Guide. 6. Choose **Assign Metric**, and then on the **Create Metric Filter and Assign a Metric** screen, in the **Filter Name** box, enter **ConsoleSignInWithoutMfa** 7. Under **Metric Details**, in the **Metric Namespace** box, enter **CloudTrailMetrics**. 8. In the **Metric Name** field, enter **ConsoleSignInWithoutMfaCount**. 9. Choose **Metric Value**, and then type **1**. Note If **Metric Value** does not appear, choose **Show advanced metric settings** first. 10. When you are finished, choose **Create Filter**. #### Example: Create an Alarm These steps are a continuation of the previous steps for creating a metric filter. 1. On the **Filters for *****`Log_Group_Name`*** page, next to the filter name, choose **Create Alarm**. 2. On the **Create Alarm** page, provide the following values.![ CloudWatch Logs Create Alarm Wizard ](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/cw-alarm-wizard-console-signin-without-mfa.png) | Setting | Value | | ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_1.png) | Console Sign In Without MFA | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_2.png) | 1 | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_3.png) | 1 | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_4.png) | 5 Minutes | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_5.png) | Sum | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_6.png) | Near the **Select a notification list** box, choose **New list**, and then type a unique topic name for the list. | | ![](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/callout_7.png) | Choose **Email list**, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.) | 3. When you are finished, choose **Create Alarm**. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://labs.cloudsecops.com/cloud-security/monitor-for-console-sign-in-without-multi-factor-authentication-mfa.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.